COMPUTATIONAL CLASS FIELD THEORY 



Henri Cohen and Peter Stevenhagen 

Abstract. Class field theory furnishes an intrinsic description of the abelian exten- 
sions of a number field that is in many cases not of an immediate algorithmic nature. 
We outline the algorithms available for the explicit computation of such extensions. 



1. Introduction 

Class field theory is a 20th century theory describing the set of finite abelian ex- 
tensions L of certain base fields K of arithmetic type. It provides a canonical de- 
scription of the Galois groups Gal(L/K) in terms of objects defined 'inside K ', and 
gives rise to an explicit determination of the maximal abelian quotient C7|^ of the 
absolute Galois group Gk of K . In the classical examples K is either a global field, 
i.e., a number field or a function field in one variable over a finite field, or a local 
field obtained by completing a global field at one of its primes. In this paper, which 
takes an algorithmic approach, we restrict to the fundamental case in which the 
base field K is a number field. By doing so, we avoid the complications arising for 
p-extensions in characteristic p > 0. 

The description of G^ for a number field K that is provided by class field theory 
can be seen as a first step towards a complete description of the full group Gk C Gq. 
At the moment, such a description is still far away, and it is not even clear what kind 
of description one might hope to achieve. Grothendieck's anabelian Galois theory 
and his theory of dessins d'enfant [17] constitute one direction of progress, and the 
largely conjectural Langlands program [2] provides an other approach. Despite all 
efforts and partial results [26], a concrete question such as the inverse problem of 
Galois theory, which asks whether for a number field K , all finite groups G occur 
as the Galois group of some finite extension L/K, remains unanswered for all K . 

A standard method to gain insight into the structure of Gk, and to realize 
certain types of Galois groups over K as quotients of Gk, consists in studying the 
action of Gk on 'arithmetical objects' related to K , such as the division points 
in Q of various algebraic groups defined over K. A good example is the Galois 
representation arising from the group i?[m](Q) of m-torsion points of an elliptic 
curve E that is defined over K . The action of Gk on E[m](Q,) factors via a finite 
quotient T m C GL2(Z/mZ) of Gk, and much is known [19] about the groups T m . 
Elliptic curves with complex multiplication by an order in an imaginary quadratic 
field K give rise to abelian extensions of K , and yield a particularly explicit instance 
of class field theory. 
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For the much simpler example of the multiplicative group G m , the division points 
of G m (Q) are the roots of unity in Q. The extensions of K they generate are the 
cyclotomic extensions of K. As the Galois group of the extension K C K(( m ) 
obtained by adjoining a primitive m-th root of unity Cm to K naturally embeds into 
(Z/raZ)*, all cyclotomic extensions are abelian. For K = Q, Kronecker discovered 
in 1853 that all abelian extensions are accounted for in this way. 

1.1. Kronecker- Weber theorem. Every finite abelian extension Q C L is con- 
tained in some cyclotomic extension Q C Q(C™)- 

Over number fields K ^ Q, there are more abelian extensions than just cyclotomic 
ones, and the analogue of 1.1 is what class field theory provides: every abelian exten- 
sion K C L is contained in some ray class field extension K C H m . Unfortunately, 
the theory does not provide a 'natural' system of generators for the fields H m to 
play the role of the roots of unity in 1.1. Finding such a system for all K is one of 
the Hilbert problems from 1900 that is still open. Notwithstanding this problem, 
class field theory is in principle constructive, and once one finds in some way a 
possible generator of H m over K, it is not difficult to verify that it does generate 
H m . The information on H m we have is essentially an intrinsic description, in terms 
of the splitting and ramification of the primes in the extension K C H m , of the 
Galois group Gal(H m /K) as a ray class group Cl m . This group replaces the group 
(Z/mZ)* that occurs implicitly in 1.1 as the underlying Galois group: 

(Z/mZ)* Gal(Q(C m )/Q) 
(a mod m) — ► (a a : Cm ^ Cm)- 

We can in principle find generators for any specific class field by combining our 
knowledge of its ramification data with a classical method to generate arbitrary 
solvable field extensions: the adjunction of radicals. More formally, we call an ex- 
tension L of an arbitrary field K a radical extension if L is contained in the splitting 
field over K of a finite collection of polynomials of the form X n — a, with n G Z>i 
not divisible by char(if ) and a G K. If the collection of polynomials can be chosen 
such that K contains a primitive n-th root of unity for each polynomial X n — a 
in the collection, then the radical extension K C L is said to be a Kummer exten- 
sion. Galois theory tells us that every Kummer extension is abelian and, conversely, 
that an abelian extension K C L of exponent n is Kummer in case K contains a 
primitive n-th root of unity. Here the exponent of an abelian extension K C L is 
the smallest positive integer n that annihilates Gdl(L/K). Thus, for every finite 
abelian extension K C L of a number field X, there exists a cyclotomic extension 
if C K(Q such that the 'base-changed' extension K(() C L(C) is Kummer. 

In Section 5, we compute the class fields of K as subfields of Kummer extensions 
of K(Q for suitable cyclotomic extensions K(Q of K. The practical problem of the 
method is that the auxiliary fields K{Q may be much larger than the base field K, 
and this limits its use to not-too-large examples. 

If K is imaginary quadratic, elliptic curves with complex multiplication solve 
the Hilbert problem for K, and this yields methods that are much faster than 
the Kummer extension constructions for general K. We describe these complex 
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multiplication methods in some detail in our Sections 6 to 8. We do not discuss 
their extension to abelian varieties with complex multiplication [20], or the ana- 
lytic generation of class fields of totally real number fields K using Stark units [7, 
Chapter 6]. 

2. Class field theory 

Class field theory generalizes 1.1 by focusing on the Galois group (Z/mZ)* of the 
cyclotomic extension Q C Q(Cm) rather than on the specific generator ( m . The 
extension Q C Q(Cm) is unramified at all primes p \ m, and the splitting behavior 
of such p only depends on the residue class (p mod m) G (Z/mZ)*. More precisely, 
the residue class degree f p = [F p (£ m ) : F p ] of the primes over p \ m equals the 
order of the Frobenius automorphism (a p : ( m i— > <^J G Gal(Q(£ m )/Q), and this is 
the order of (p mod m) G (Z/mZ)* under the standard identification 1.2. 

Now let K C L be any abelian extension of number fields. Then we have [23, 
Section 15], for each prime p of K that is unramified in L, a unique element Frob p G 
Gal(L/K) that induces the Frobenius automorphism x i— > x^ kp on the residue 
class field extensions k p C k q for the primes q in L extending p. The order of this 
Frobenius automorphism Frobp of p in Gal(L/K) equals the residue class degree 
[k q : k p ], and the subgroup (Frobp) C Gal(L/K) is the decomposition group of p. 

We define the Artin map for L/K as the homomorphism 

(21) 1>l/k: Ik(Al/k) 1 — ► Gsl{L/K) 

p i — >■ Frobp 

on the group Ik(A l / k ) of fractional Z^-ideals generated by the primes p of K 
that do not divide the discriminant A L / K of the extension K C L. Such primes p 
are known to be unramified in L by [23, Theorem 8.5]. For an ideal a G Ik(A l / k ), 
we call iPl/k{o) the Artin symbol of a in Gsl{L/K). 
For K = Q, we can rephrase 1.1 as follows. 

2.2. Kronecker- Weber theorem. If Q C L is an abelian extension, there exists 
an integer m G Z >0 such that the kernel of the Artin map V'l/q contains all Z-ideals 
xZ with x > and x = 1 mod m. 

The equivalence of 1.1 and 2.2 follows from the analytic fact that an extension of 
number fields is trivial if all primes outside a density zero subset split completely 
in it. Thus, if all primes p = 1 mod m split completely in Q C L, then all primes of 
degree one are split in Q(Cm) C L(( m ) and L is contained in the cyclotomic field 

Q(Crn)- 

The positivity condition on x in 2.2 can be omitted if the primes p = — 1 mod m 
also split completely in L, i.e., if L is totally real, and contained in the maximal 
real subfield Q(Cm + Cm 1 ) °f Q(Cm)- The values of m that one can take in 2.2 are 
the multiples of some minimal positive integer, the conductor of Q C L. It is the 
smallest integer m for which Q(Cm) contains L. The prime divisors of the conductor 
are exactly the primes that ramify in L, and p 2 divides the conductor if and only 
if p is wildly ramified in L. 
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For a quadratic field L of discriminant d, the conductor equals \d\, and 2.2 states 
that the Legendre symbol (|) only depends on x modulo This is Euler's version 
of the quadratic reciprocity law. The main statement of class field theory is the 
analogue of 2.2 over arbitrary number fields K. 

2.3. Artin's reciprocity law. If K C L is an abelian extension, there exists 
a non-zero ideal mo C Zk such that the kernel of the Artin map ipL/K i> n (2-1) 
contains all principal Zx-ideals xZk with x totally positive and x = 1 mod mo- 

This somewhat innocuous looking statement is a highly non-trivial fact. It shows 
that there is a powerful global connection relating the splitting behavior in L of 
different primes of K. Just like 2.2 implies the quadratic reciprocity law, Artin's 
reciprocity law implies the general power reciprocity laws from from algebraic num- 
ber theory (see [1, Chapter 12, §4] or [5, p. 353]). 

It is customary to treat the positivity conditions at the real primes of K and the 
congruence modulo mo in 2.3 on equal footing. To this end, one formally defines a 
modulus m of K to be a non-zero Z^-ideal mo times a subset moo of the real primes 
of K. For a modulus m = raotrioo, we write 

x = 1 mod* m 

if x satisfies ord p (x — 1) > ord p (m ) at the primes p dividing the finite part m , 
and x is positive at the real primes in the infinite part m^ of m. 

In the language of moduli, 2.3 asserts that there exists a modulus m such that the 
kernel keri/j L / K of the Artin map contains the ray group R m of principal Z/c-ideals 
xZk generated by elements x = 1 mod* m. As in the case of 2.2, the set of these 
admissible moduli for K C L consists of the multiples m of some minimal modulus 
Sl/k-, the conductor of K C L. The primes occurring in ^l/k are the primes of K, 
both finite and infinite, that ramify in L. An infinite prime of K is said to ramify 
in L if it is real but has complex extensions to L. As for K = Q, a finite prime p 
occurs with higher multiplicity in the conductor if and only if it is wildly ramified 
in L. 

If m = mo moo is an admissible modulus for K C L, and I m denotes the group 
of fractional Z^-ideals generated by the primes p coprime to mo, the Artin map 
induces a homomorphism 

1>l/k ■ Cl m = I m /R m — Gal(L/ K) 

" p; • • ln.i,, 

on the ray class group Cl m = I m / R m modulo m. Our earlier remark on the triviality 
of extensions in which almost all primes split completely implies that it is surjective. 
By the Chebotarev density theorem [25] , even more is true: the Frobenius automor- 
phisms Frobp for p G I m are equidistributed over the Galois group Gal(L/K). In 
particular, a modulus m is admissible for an abelian extension K C L if and only 
if (almost) all primes p G -R m of K split completely in L. 

As the order of the Frobenius automorphism Frobp G Gal(L/K) equals the 
residue class degree f p of the primes q in L lying over p, the norm N L / K (q) = p-^ 3 
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of every prime ideal q in coprime to m is contained in the kernel of the Artin 
map. A non-trivial index calculation shows that the norms of the Z^-ideals coprime 
to m actually generate the kernel in (2.4). In other words, the ideal group A m C I m 
that corresponds to L in the sense that we have kerip L / K = A m /R m: is equal to 

(2.5) A m = N L/K (I mZL )-R m . 

The existence theorem from class field theory states that for every modulus m 
of K, there exists an extension K C L = H m for which the map ipL/K in (2-4) is 
an isomorphism. Inside some fixed algebraic closure K of K, the extension H m is 
uniquely determined as the maximal abelian extension L of K in which all primes in 
the ray group R m split completely. It is the ray class field H m modulo m mentioned 
in the introduction, for which the analogue of 1.1 holds over K. If K C L is abelian, 
we have L C H m whenever m is an admissible modulus for L. For L = H m: we have 
An = -Rm in (2.5), and an Artin isomorphism Cl m Gal(H m /K). 

2.6. Examples. 1. It will not come as a surprise that for K = Q, the ray class 
field modulo (m) • oo is the cyclotomic field Q(Cm), and the ray class group Cl^.^ 
the familiar group (Z/mZ)* acting on the m-th roots of unity. Leaving out the 
real prime oo of Q, we find the ray class field modulo (m) to be the maximal real 
subfield Q(Cm + Cm 1 ) °f Q(Cm)- This is the maximal subfield in which the real prime 
oo is unramified. 

2. The ray class field of conductor m = (1) is the Hilbert class field H = Hi of K. 
It is the largest abelian extension of K that is unramified at all primes of K, both 
finite and infinite. As I\ and R\ are the groups of all fractional and all principal 
fractional Z^-ideals, respectively, the Galois group Gal(H/K) is isomorphic to the 
ordinary class group CIk of K, and the primes of K that split completely in H 
are precisely the principal prime ideals of K. This peculiar fact makes it possible 
to derive information about the class group of K from the existence of unramified 
extensions of K, and conversely. 

The ray group R m is contained in the subgroup P m C I m of principal ideals in 7 m , 
and the quotient I m /P m is the class group Cl^ of K for all m. Thus, the ray class 
group Cl m = I m /R m is an extension of Cl^ by a finite abelian group P m /R m that 
generalizes the groups (Z/mZ)* from 1.2. More precisely, we have a natural exact 
sequence 

(2.7) Z* K — (Z K /m)* — Cl m — Cl K — 

in which the residue class of x € Z^ coprime to mo in the finite group (Z^/m)* = 
(Z K /m )* x ripimoo ( — -0 consists of its ordinary residue class modulo m and the 
signs of its images under the real primes plm^. This group naturally maps onto 
Pm/Rm C Cl m , with a kernel reflecting the fact that generators of principal Zk- 
ideals are only unique up to multiplication by units in Zk- 

Interpreting both class groups in 2.7 as Galois groups, we see that all ray class 
fields contain the Hilbert class field H = Hi from 2.6.2, and that we have an Artin 
isomorphism 

(2.8) (Z K /m)7im[Zy Gal(H m /H) 
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for their Galois groups over H. By 2.6.1, this generalizes the isomorphism 1.2. 

In class field theoretic terms, we may specify an abelian extension K C L by 
giving an admissible modulus m for the extension together with the corresponding 
ideal group 

(2.9) A m = ker[/ m -> Gal{L/K)] 

arising as the kernel of the Artin map 2.4. In this way, we obtain a canonical 
bijection between abelian extensions of K inside K and ideal groups R m C A m C I m 
of K, provided that one allows for the fact that the 'same' ideal group A m can be 
defined modulo different multiples m of its conductor, i.e., the conductor of the 
corresponding extension. More precisely, we call the ideal groups A mi and A m2 
equivalent if they satisfy A mi D I m = A m2 n I m for some common multiple m of mi 
and rri2. 

Both from a theoretical and an algorithmic point of view, 2.5 provides an im- 
mediate description of the ideal group corresponding to L as the norm group 
A m = N L / K (I m z L ) ■ R m as soon as we are able to find an admissible modulus 
m for L. In the reverse direction, finding the class field L corresponding to an ideal 
group A m is much harder. Exhibiting practical algorithms to do so is the principal 
task of computational class field theory, and the topic of this paper. Already in the 
case of the Hilbert class field H of K from 2.6.2, we know no 'canonical' generator 
of H, and the problem is non-trivial. 

3. Local aspects: ideles 

Over K = Q, all abelian Galois groups are described as quotients of the groups 
(Z/mZ)* for some modulus m G Z>i. One may avoid the ubiquitous choice of 
moduli that arises when dealing with abelian fields by combining the Artin isomor- 
phisms 1.2 at all 'finite levels' m into a single pro finite Artin isomorphism 

(3.1) lim(Z/mZ)* = Z* Gal(Q ab /Q) 

between the unit group Z* of the profinite completion Z of Z and the absolute 
abelian Galois group of Q. The group Z* splits as a product Yl p Zp by the Chinese 
remainder theorem, and Q a b is obtained correspondingly as a compositum of the 
fields Q(C P °°) generated by the p-power roots of unity. The automorphism corre- 
sponding to u = (u p )p G Z* acts as ( i— > ( Up on p-power roots of unity. Note that 
the component group Z* C Z* maps to the inertia group at p in any finite quotient 
Gal(L/Q) of Gal(Q ab /Q). 

For arbitrary number fields K, one can take the projective limit in 2.7 over all 
moduli and describe G^K^/K) by an exact sequence 

(3.2) 1 — Z* K — % x n p rea i(-l> ^ Gal(iWK) — CI* — 1, 

which deals with the finite primes occurring in Zi* K = f| finite Up and the infinite 
primes in a somewhat asymmetric way. Here ipK maps the element —1 at a real 
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prime p to the complex conjugation at the extensions of p. The image of ipK is the 
Galois group Gal(K^/H) over the Hilbert class field H, which is of finite index 
hx = #Clx in Qdl(K a \>/K). For an abelian extension L of K containing H, the 
image of the component group Up C Z* K in Gal(L/H) is again the inertia group 
at p in Gal(L/K). As H is totally unramified over K, the same is true in case 
L does not contain H: the inertia groups for p in Gal{LH / K) and Gal(L/K) are 
isomorphic under the restriction map. 

A more elegant description of Gal^K^/K) than that provided by the sequence 
3.2 is obtained if one treats all primes of K in a uniform way, and redefines the 
Artin map ipK, as we will do in 3.7, using the idele group 

A* K = Y\' p K* = {(x p )p : x p G Up for almost all p} 

of K . This group [23, Section 14] consists of those elements in the Cartesian product 
of the multiplicative groups K* at all completions K* of K that have their p- 
component in the local unit group Up for almost all p. Here Up is, as before, the 
unit group of the valuation ring at p in case p is a finite prime of K. For infinite 
primes p, the choice of Up is irrelevant as there are only finitely many such p. We 
take Up = K*, and write U^, to denote Yip infinite -^p = ^ ®Q Note that we 

haven p finite^* = %■ 

The topology on is the restricted product topology: elements are close if they 
are p-adically close at finitely many p and have a quotient in Up for all other p. 
With this topology, K* embeds diagonally into A^ as a discrete subgroup. As the 
notation suggests, A^ is the unit group of the adele ring = Yl'p -^p; the subring 
°f lip Kp consisting of elements having integral components for almost all p. 

To any idele (x p ) P: we can associate an ideal xZk = Yip finite p ordp( - Xp - ) , and this 
makes the group Ik of fractional Z^-ideals into a quotient of A* K . For a global 
element x G K* C A^, the ideal xZk is the principal Z^-ideal generated by x, so 
we have an exact sequence 

(3.3) 1 — > Z* K — > Z* K xf/„-^ A* K /K* — > C\ K — > 1 

that describes the idele class group A* K /K* of K in a way reminiscent of 3.2. 

In order to obtain Gal(K a ]j/K) as a quotient of A* K /K*, we show that the ray 
class groups Cl m defined in the previous section are natural quotients of A* K /K* . 
To do so, we associate to a modulus m = motrioo of K an open subgroup W m C A^ 
in the following way. Write m = Yl p P n ^ as a formal product, with n(p) = ord p (mo) 
for finite p, and n(p) G {0, 1} to indicate the infinite p in trioo. Now put 

w m = U P Up {n(p)) 

(k) 

for subgroups Up C K* that are defined by 

Up if k = 0; 

U p (k) = <J 1 + p k if p is finite and k > 0; 

U p + C Up = R* if p is real and k = 1. 
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Here we write Up for real p to denote the subgroup of positive elements in Up. As 
C* and R> have no proper open subgroups, one sees from the definition of the 
restricted product topology on that a subgroup H C A* K is open if and only if 
it contains W m for some modulus m. 

3.4. Lemma. For every modulus m = Yl p p n ^ of K , there is an isomorphism 

A* K /K*W m Cl m 

that maps (xp) p to the class ofYip fi n i te p OYdp ^ yXp \ Here y G K* is a global element 
satisfying yx p G Up^ for all p|m. 

Proof. Note first that the global element y required in the definition exists by 
the approximation theorem. The precise choice of y is irrelevant, as for any two 
elements y,y' satisfying the requirement, we have y/y' = 1 mod* m. We obtain a 
homomorphism A^ — > Cl m that is surjective as it maps a prime element 7r p at a 
finite prime p \ m to the class of p. Its kernel consists of the ideles that can be 
multiplied into W m by a global element y G K* . □ 

If m is an admissible modulus for the finite abelian extension K C L, we can 
compose the isomorphism in 3.4 with the Artin map 2.4 for K C L to obtain an 
idelic Artin map 

(3.5) ^ L/K : A* K /K* — Gal(L/K) 

that no longer refers to the choice of a modulus m. This map, which exists as a 
corollary of 2.3, is a continuous surjection that maps the class of a prime element 
7T P G K* C A* K to the Frobenius automorphism Frob p G Gal(L/K) whenever p is 
finite and unramified in K C L. 

For a finite extension L of K, the adele ring A L is obtained from A K by a 
base change if C I, so we have a norm map N L / K : A L — > that maps A^ 
to A*^ and restricts to the field norm on L* C A*^. As it induces the ideal norm 
7l — > Ik on the quotient 7l of A* K , one deduces that the kernel of 3.5 equals 
(K* ■ N L / K [A* L ]) mod K* , and that we have isomorphisms 

(3.6) A K /K*N L/K [Al] = I m /A m Gal(L/K), 

with A m the ideal group modulo m that corresponds to L in the sense of 2.9. Taking 
the limit in 3.5 over all finite abelian extensions K C L inside K, one obtains the 
idelic Artin map 

(3.7) Vx: A* K /K* — ► G'f? = Gal(K ah /K). 

This is a continuous surjection that is uniquely determined by the property that 
the -i/^-image of the class of a prime element tc p G K* C A^ maps to the Frobenius 
automorphism Frob p G Gal(L/K) for every finite abelian extension K C L in which 
p is unramified. It exhibits all abelian Galois groups over if as a quotient of the 
idele class group A* K /K* of K. 



COMPUTATIONAL CLASS FIELD THEORY 



9 



The kernel of the Artin map 3.7 is the connected component of the unit element 
in A* K /K*. In the idelic formulation, the finite abelian extensions of K inside K 
correspond bijectively to the open subgroups of / K* under the map 

L .— V^tGaKiW^)] = (K* ■ N L/K [A* L }) mod K* . 

In this formulation, computational class field theory amounts to generating, for any 
given open subgroup of A* K /K*, the abelian extension K C L corresponding to it. 

3.8. Example. Before continuing, let us see what the idelic reformulation of 3.1 
comes down to for K = Q. Every idele x = ((x p ) p ,x 00 ) G Aq can uniquely be 

written as the product of the rational number sign(a; 00 ) • Y[ p p ordp ^ Xp ^ G Q* and a 

'unit idele' u x G R>o x FT Z* = R >0 x Z*. In this way, the Artin map 3.7 becomes 
a continuous surjection 

V> Q : A Q /Q* = Z* x R >0 — Gal(Q ab /Q). 

Its kernel is the connected component R>o x {1} of the unit element in Aq/Q*. 
Comparison with 3.1 leads to a commutative diagram of isomorphisms 



-l 



(3.9) 



(3-1) 



A Q /(Q*-R >0 ) Gal(Q ab /Q), 



in which the upper horizontal map is not the identity. To see this, note that the 
class of the prime element £ G Q| C Aq in Aq/(Q* ■ R>o) is represented by the 

idele x = (x p ) p G Z* having components x p = £~ x for p ^ £ and xg = 1. This idele 
maps to the Frobenius of i, which raises roots of unity of order coprime to £ to 
their £-th power. As x is in all W m for all conductors m = £ k , it fixes £-power roots 
of unity. Thus, the upper isomorphism "—1" is inversion on Z*. 

Even though the idelic and the ideal group quotients on the left hand side of the 
arrow in 3.6 are the 'same' finite group, it is the idelic quotient that neatly encodes 
information at the ramifying primes p|m, which seem 'absent' in the other group. 
More precisely, we have for all primes p an injective map K* — > A* K /K* that can 
be composed with 3.7 to obtain a local Artin map ifjK p '■ K* — > Gal(L/K) at every 
prime p of K. If p is finite and unramified in K C L, we have U p C ker-i/^p and an 
induced isomorphism of finite cyclic groups 

K;/{4 v )U p = K;/N Lq/Kp [L* q ] ^ (Frob p ) = Gal(L q /K p ), 

since Frobp generates the decomposition group of p in Gal(L/K), which may be 
identified with the Galois group of the local extension K p C L q at a prime q|p in L. 
It is a non-trivial fact that 3.5 induces for all primes p of K, also the ramifying and 
the infinite primes, a local Artin isomorphism 

(3-10) ip Lq/Kp : K;/N Lq/Kv [L*] Gal(L q /.Kp). 
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In view of our observation after 3.2, it maps U p /N Lq / Kp [U q ] for finite p isomorphi- 
cally onto the inertia group of p. 

We can use 3.10 to locally compute the exponent n(p) to which p occurs in the 
conductor of K C L: it is the smallest no n- negative integer k for which we have 
Up C Ni Jci iK p [L*]. For unramified primes p we obtain n(p) = 0, as the local norm 
is surjective on the unit groups. For tamely ramified primes we have n(p) = 1, and 
for wildly ramified primes p the exponent n(p) may be found by a local computation. 
In many cases it is sufficient to use an upper bound coming from the fact that every 
d-th power in K* is a norm from L q , with d the degree of K p C L q (or even K C L). 
Using Hensel's lemma [4], one then finds 

(3.11) n(p) < e(p/p) + ord p (e p )) + 1, 

where e(p/p) is the absolute ramification index of p over the underlying rational 
prime p, and e p the ramification index of p in K C L. Note that e p is independent 
of the choice of an extension prime as K C L is Galois. 

4. Computing class fields: preparations 

Our fundamental problem is the computation of the class field L that corresponds 
to a given ideal group A m of K in the sense of 2.5. One may 'give' A m by specifying 
m and a list of ideals for which the classes in the ray class group Cl m generate A m . 
The first step in computing L is the computation of the group I m /A m that will 
give us control of the Artin isomorphism I m /A m Gdl(L/K). As linear algebra 
over Z provides us with good algorithms [7, Section 4.1] to deal with finite or even 
finitely generated abelian groups, this essentially reduces to computing the finite 
group Cl m of which I m /A m is quotient. 

For the computation of the ray class group Cl m modulo m = m ■ moo, one 
computes, in line with [18], the three other groups in the exact sequence 2.7 in 
which it occurs, and the maps between them. The class group Cl^ and the unit 
group Z* K in 2.7 can be computed using the algorithm described in [23, Section 12], 
which factors smooth elements of over a factor base. As this takes exponential 
time as a function of the base field K, it can only be done for moderately sized K . 
For the group (Z^/rrio)*, one uses the Chinese remainder theorem to decompose 
it into a product of local multiplicative groups the form (Zx/p fc )*- Here we need 
to assume that we are able to factor mo, but this is a safe assumption as we are 
unlikely to encounter extensions for which we cannot even factor the conductor. The 
group (Z^/p fc )* is a product of the cyclic group k p = (Zx/p)* and the subgroup 
(1 + p)/(l+p fc ), the structure of which can be found inductively using the standard 
isomorphisms (1 + p a )/(l + p a+1 ) = k p and, more efficiently, 

(i + p a )/(i + p 2a ) ^p a /p 2a 

between multiplicative and additive quotients. In many cases, the result can be 
obtained in one stroke using the p-adic logarithm [7, Section 4.2.2]. Finding Cl m 
from the other groups in 2.7 is now a standard application of linear algebra over Z. 
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The quotient I m /A m gives us an explicit description of the Galois group Gsl{L/K) 
in terms of Artin symbols of Z^-ideals. 

For the ideal group A m , we next compute its conductor f, which may be a proper 
divisor of m. This comes down to checking whether we have A m D I m n R n for 
some modulus n|m. Even in the case A m = R m the conductor can be smaller 
than m, as the trivial isomorphism (Z/6Z)* (Z/3Z)* of ray class groups over 
K = Q shows. The conductor f obtained, which is the same as the conductor fi/K 
of the corresponding extension, is exactly divisible by the primes that ramify in 
K C L. In particular, we know the signature of L from the real primes dividing f. 
With some extra effort, one can even compute the discriminant A L / K using Hasse's 
Fiihrerdiskriminantenproduktformel 

(4-2) A L/K = J] f( x ) . 

X:/mMm — C* 

Here x ranges over the characters of the finite group I m /A m = Gal{L/K), and 
f(x)o denotes the finite part of the conductor f(x) of the ideal group A x modulo m 
satisfying A x /A m = ker%. All these quantities can be computed by the standard 
algorithms for finite abelian groups. 

4.3. Example. If K C L is cyclic of prime degree £, we have a trivial character of 
conductor (1) and t — 1 characters of conductor Sl/k-, so 4.2 reduces to 

Al/k = (fL/K)o~ 1 - 

In particular, we see that the discriminant of a quadratic extension K C L is not 
only for K = Q, but generally equal to the finite part of the conductor of the 
extension. 

Having at our disposal the Galois group Gal(L/K), the discriminant A L / K and 
the Artin isomorphism I m /A m Gal(L/K) describing the splitting behavior of 
the primes in K C L, we proceed with the computation of a generator for L over 
K, i.e., an irreducible polynomial in K[X] with the property that its roots in K 
generate L. 

As the computation of class fields is not an easy computation, it is often desirable 
to decompose Gal(L/K) as a product YliGal(Li/K) of Galois groups Gal(Li/K) 
and to realize L as a compositum of extensions Lj that are computed separately. 
This way one can work with extensions L/K that are cyclic of prime power order, 
or at least of prime power exponent. The necessary reduction of the global class 
field theoretic data for L/K to those for each of the Lj is only a short computation 
involving finite abelian groups. 

5. Class fields as Kummer extensions 

Let K be any field containing a primitive n-th root of unity £ n , and K C L an 
abelian extension of exponent dividing n. In this situation, Kummer theory [13, 
Chapter VIII, §6-8] tells us that L can be obtained by adjoining to K the n-th 
roots of certain elements of K. More precisely, let Wl = K* flL* n be the subgroup 
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of K* of elements that have an n-th root in L. Then we have L = K( ^/Wl), and 
there is the canonical Rummer pairing 

Gal(L/ K) x W L /K* n — (C n ) 



By canonical, we mean that the natural action of an automorphism r G Aut(-KT) 
on the pairing for K C L yields the Kummer pairing for tK C tL: 

(5.2) (rfrr" 1 ,™) = (a,w) T . 

The Kummer pairing is perfect, i.e., it induces an isomorphism 

(5.3) W L /K* n Hom(Gal(L/K), C*). 

In the case where Gal(L/K) is cyclic of order n, this means that we have L = 
K( tfd) and W L = K* D L* n = (a) ■ K* n for some a G if. If ^ also generates L 
over K, then a and (3 are powers of each other modulo n-th powers. 

We will apply Kummer theory to generate the class fields of a number field K. 
Thus, let L is the class field of K from Section 4 that is to be computed. Suppose 
that we have computed a 'small' modulus f for L that is only divisible by the 
ramifying primes, e.g. the conductor Sl/Ki and an ideal group Af for L by the 
methods of Section 4. With this information, we control the Galois group of our 
extension via the Artin isomorphism If/Af Gal(L/K). Let n be the exponent of 
Gal(L/K). Then we can directly apply Kummer theory if K contains the required 
n-th roots of unity; if not, we need to pass to a cyclotomic extension of K first. 
This leads to a natural case distinction. 

Case 1: K contains a primitive n-th root of unity 

Under the restrictive assumption that K contains £ n , the class field L is a Kummer 
extension of K, and generating L = K( y/W£) comes down to finding generators 
for the finite group Wl/K* u . We first compute a finite group containing Wl/K* u . 
This reduction is a familiar ingredient from the proofs of class field theory [1, 5]. 

5.4. Lemma. Let K C L be finite abelian of exponent n, and assume ( n G K . 
Suppose S is a finite set of primes of K containing the infinite primes such that 

1. K C L is unramified outside S; 

2. C\k/CV^ is generated by the classes of the finite primes in S. 

Then the image of the group Us of S -units in K* / K* n is finite of order n# s , and 
it contains the group Wl/K* u from (5.1). 

The first condition in 5.4 means that S contains all the primes that divide our small 
modulus f . The second condition is automatic if the class number of K is prime to n, 
and it is implied by the first if the classes of the ramifying primes generate Cl^ / Cl^. 
Note that any set of elements of Cl^ generating CIk/CI^- actually generates the 
full 'n-part' of the class group, i.e., the product of the p-Sylow subgroups of C\k 
at the primes p\n. In general, there is a lot of freedom in the choice of primes in S 
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outside f. One tries to have S 'small' in order to minimize the size n #s of the group 
(U s ■ K* n )/K* n containing W L /K* n . 

Proof of 5.4. By the Dirichlet unit theorem [23, Theorem 10.9], the group Us of 
S-units of K is isomorphic to hk x Z# s_1 . As hk contains £ n , the image (Us • 
K* n ) /K* n 9* Us/Ug of U s in K*/K* n is finite of order n# s . 

In order to show that (Us ■ K* n )/K* n contains W L /K* n , pick any a G W L . As 
K C K( yfa) is unramified outside S, we have (a) = asb n for some product as 
of prime ideals in S and b coprime to all finite primes in S. As the primes in S 
generate the n-part of Cl^-, we can write b = bgc with bg a product of prime ideals 
in S and c an ideal of which the class in CIk is of order u coprime to n. Now a u 
generates an ideal of the form (a u ) = 1*5(7") with a' s a product of prime ideals in 
S and 7 G K*. It follows that a u ^~ n G K* is an S-unit, so a u and therefore a is 
contained in U s ■ K* n . □ 

In the situation of 5.4, we see that K C L is a subextension of the Kummer 
extension K <Z N = K( \/Us) of degree 7i #s . We have to find the subgroup of 
Us/Ug corresponding to L. This amounts to a computation in linear algebra using 
the Artin map and the Kummer pairing. For ease of exposition, we assume that the 
set S we choose to satisfy 5.4 contains all primes dividing n. This implies that 
is the maximal abelian extension of exponent n of K that is unramified outside S. 

As we compute L as a subfield of the abelian extension K C A, we replace the 
modulus f of K C L by some multiple m that is an admissible modulus for K d N . 
Clearly m only needs to be divisible by the ramified primes in K C A, which are 
all in S. Wild ramification only occurs at primes p dividing n, and for these primes 
we can take ord p (m) equal to the bound given by 3.11. The ideal group modulo m 
corresponding to N is I™ ■ P m as A is the maximal exponent n extension of K of 
conductor m, and the Artin map for K C A is 

(5.5) 7 m — I m /(Q ■ P m ) = Cl m /CC G&\(N/K). 

The induced map I m — > Gal(L/AT) is the Artin map for K C L, which has the ideal 
group A m corresponding to L as its kernel. Let £/, C I m be a finite set of ideals of 
which the classes generate the Z/nZ-module A m /(7™ • P m ) = Gal(A/L). We then 
have to determine the subgroup Vl C Us consisting of those S'-units v G Us that 
have the property that y/v is left invariant by the Artin symbols of all ideals in Ex,, 
since the class field we are after is L = K( \/V£)- 

We are here in a situation to apply linear algebra over Z/nZ, as the Kummer 
pairing 5.1 tells us that the action of the Artin symbols ip N / K (a) of the ideals a G I m 
on the n-th roots of the S'-units is described by the pairing of Z/nZ- modules 

I J II X Us/US — (Cn> 

(a, «) ^ (^/K(a), u) = 

Making this computationally explicit amounts to computing the pairing for some 
choice of basis elements of the three modules involved. 

For (£ n ) we have the obvious Z/nZ-generator £ n , and I m /I^ is a free Z/nZ- 
module generated by the primes p G" S. If K is of moderate degree, the general 
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algorithm [23, Section 12] for computing units and class groups can be used to 
compute generators for Us, which then form a Z/nZ-basis for Us/Ug. In fact, 
finding s — 1 = #5 — 1 independent units in Us that generate a subgroup of 
index coprime to n is enough: together with a root of unity generating hk, these 
will generate Us/Ug. This is somewhat easier than finding actual generators for 
Us, as maximality modulo n-th powers is not difficult to establish for a subgroup 
U C Us having the right rank r = rank z / nZ (£/"). Indeed, each reduction modulo 
a small prime p ^ S provides a character U C Us — > &p/(^p) n — (Cn), the n-th 
power residue symbol at p. By finding r independent characters, one shows that 
the intersection of their kernels equals U n = U n L/g. 

For a prime p ^ 5 and u E Us, the definitions of the Kummer pairing and the 
Frobenius automorphism yield 

(Frobp, U) = ( W V-)Frob p -1 = u {Np-l)/n & fc * ^ 

with Np = #/c p the absolute norm of p. Thus (Frob p , it) is simply the power of ( n 
that is congruent to u^ Nv ~ 1 ^ n G k*. Even when p is large, this is not an expensive 
discrete logarithm problem in kt, since in practice the exponent n < [L : K] is 
small: one can simply check all powers of ( n G kt. As (£ n ) reduces injectively 
modulo primes p \ n, the n-root of unity (Frobp, it) can be recovered from its value 
in k*. 

From the values (Frob p , it), we compute all symbols (iPn/k(o-), u) by linearity. It 
is now a standard computation in linear algebra to find generators for the subgroup 
Vl/Us C Us/Ug that is annihilated by the ideals a G £_l under the pairing 5.6. This 
yields explicit generators for the Kummer extension L = K{ \fV£), and concludes 
the computation of L in the case where K contains Q n , with n the exponent of 
Gol(L/K). 

Case 2: K does not contain Q n . 

In this case L is not a Kummer extension of K, but V = L(Cn) is a Kummer 
extension of K' = K(( n ). 



L'= L(C n ) 




LDK' 



K 

In order to find generators of V over K' by the method of Case 1, we need to 'lift' 
the class field theoretic data from K to K' to describe V as a class field of K' . 
Lifting the modulus f = fofoo for K C L is easy: as K' is totally complex, f = foZ^-/ 
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is admissible for K' C V '. From the definition of the Frobenius automorphism, it is 
immediate that we have a commutative diagram 

Ik',v ^ Gsl(L'/K') 



N K'/K 



I K , f ^ Ga\(L/K). 



As the restriction map on the Galois groups is injective, we see that the inverse norm 
image N~}^ R Af C Ik',y is the ideal group of K' corresponding to the extension 

K' C L'. As N~}^ K Af contains Pk'J', computing this inverse image takes place 

inside the finite group C\.K',y, a ray class group for K' . 

We perform the algorithm from Case 1 for the extension K' C V in order to find 
generators of L' over K' . We are then working with (ray) class groups and S-units 
in K' rather than in K, and S has to satisfy 5.4.2 for CIk 1 - All this is only feasible if 
K' is of moderate degree, and this seriously restricts the values of n one can handle 
in practice. Our earlier observation that we may decompose If/Aj = Gel(L/K) into 
a product of cyclic groups of prime power order and generate L accordingly as a 
compositum of cyclic extensions of K is particularly relevant in this context, as it 
reduces our problem to a number of instances where K <Z Lis cyclic of prime power 
degree. Current implementations [10] deal with prime power values up to 20. 

We further assume for simplicity that we are indeed in the case where K C L 
is cyclic of prime power degree n, with K' = K(£ n ) ^ K. Suppose that, using the 
algorithm from Case 1, we have computed a Kummer generator 9 G V for which 
we have V = K'{6) = K(C, n ,6) and 9 n = a e K' . We then need to 'descend' 9 
efficiently to a generator r\ of L over K. If n is prime, one has L = K{rj) for the 
trace 



(5.8) V = T^l'/l(0). 

For prime powers this does not work in all cases. One can however replace 9 by 
9 + k( n for some small integer k G Z to ensure that 9 generates L' over K, and 
then general field theory tells us that the coefficients of the irreducible polynomial 

(5.9) f L = J] (X — t(9)) G L[X\ 

t€G&\(L'/L) 

of 9 over L generate L over K. As we took K C L to be cyclic of prime power degree, 
one of the coefficients is actually a generator, and in practice the trace works. In all 
cases, one needs an explicit description of the action of the Galois group Gal(L'/L) 
on 9 and ( n in order to compute the trace 5.8, and possibly other coefficients of f d L 
in 5.9. Finally, if we have L = K(rj), we need the action of Gsl{L/K) on r\ in order 
to write down the generating polynomial 

fK= II (X - a( V )) e K[X] 

aeG&\(L/K) 
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for K C L that we are after. 

As before, the Artin map gives us complete control over the action of the abelian 
Galois group Gal(L' / K) on V = K(( n ,9), provided that we describe the elements 
of Gal(Z/ / K) as Artin symbols. We let m be an admissible modulus for K C L'; the 
least common multiple of Sl/k an d n-Y[ p real P * s an obvious choice for m. All we need 
to know is the explicit action of the Frobenius automorphism Frobp G Gal(L'/K) 
of a prime p \ m of K on the generators ( n and 9 of V over K. Note that p does 
not divide n, and that we may assume that ct = 9 n is a unit at p. 

The cyclotomic action of Frobp G Gal(L' / K) is given by Frobp (£ n ) = Cn p i with 
Np = #k p the absolute norm of p. This provides us with the Galois action on K' , 
and yields canonical isomorphisms 

Gal(K'/K) = im[iV K/Q : I m — (Z/nZ)*], 
Gal(K'/(L n K')) = im[iV K/Q : A m — > (Z/nZ)*]. 

In order to understand the action of Frobp on 6* = we first observe that 

K C L' = K'{9) can only be abelian if a is in the cyclotomic eigenspace of (K')* 
modulo n-th powers under the action of Gdl(K'/K). More precisely, applying 5.2 
for K' C L' with r = Frobp, we have Frobp -a ■ Frobp -1 = a as Gal(L'/if) is abelian, 
and therefore 

(a,Frob p (a)> = (a,a) Frob > = (a,^ = (a,^) 
for all o G Gal(L' /K'). By 5.3, we conclude that we have 
(5.10) Frobp (a) = a Np • 7p n 

for some element 7 P G -ftT'. As we know how Frobp acts on a G K' = K(( n ), we 
can compute 7p by extracting some n-th root of Frobp (a)a~ Np in K' . The element 
7p is only determined up to multiplication by n-th roots of unity by 5.10. As we 
took a to be a unit at p, we have 7^ = 1 mod p by definition of the Frobenius 
automorphism, so there is a unique element 7 P = 1 mod p satisfying 5.10. With 
this choice of 7 p, we have 

Frobp (9) = 9 N * - 7 p 

as the n-th powers of both quantities are the same by 5.10, and they are congru- 
ent modulo p. This provides us with the explicit Galois action of Frobp on 9 for 
unramified primes p. 

The description of the Galois action on 9 and ( n in terms of Frobenius symbols 
is all we need. The Galois group Gal(L'/L) = Gal(K'/(L n K')), which we may 
identify with the subgroup Nx/Q(A m ) of (Z/nZ)*, is either cyclic or, in case n is 
a power of 2, generated by 2 elements. Picking one or two primes p in A m with 
norms in suitable residue classes modulo n is all it takes to generate Gal(L'/L) 
by Frobenius automorphisms, and we can use these elements to descend 9 to a 
generator 77 for L over K. We also control the Galois action of Gal(L/K) = I m /A m 
on 77, and this makes it possible to compute the irreducible polynomial for the 
generator 77 of L over K. 
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6. Class fields arising from complex multiplication 

As we observed in Example 2.6.1, the ray class fields over the rational number 
field Q are the cyclotomic fields. For these fields, we have explicit generators over 
Q that arise 'naturally' as the values of the analytic function q : x i— > e 2nix on the 
unique archimedean completion R of Q. The function q is periodic modulo the ring 
of integers Z C R of Q, and it induces an isomorphism 

R/Z = {z eC: zz = l} cC 

x i — ► q(x) = e 

between the quotient group R/Z and the 'circle group' T of complex numbers of 
absolute value 1. The Kronecker- Weber theorem 1.1 states that the values of the 
analytic function q at the points of the torsion subgroup Q/Z C R/Z generate 
the maximal abelian extension Q a b of Q. More precisely, the q- values at the m- 
torsion subgroup t^Z/Z of R/Z generate the m-th cyclotomic field Q(Cm)- Under 
this parametrization of roots of unity by Q/Z, the Galois action on the m-torsion 
values comes from multiplications on ^-Z/Z by integers a E Z coprime to m, giving 
rise to the Galois group 

(6.2) Gal(Q(Cm)/Q) = Aut(£Z/Z) = (Z/mZ)* 

from 1.2. Taking the projective limit over all m, one obtains the identification of 
Gal(Q a b/Q) with Aut(Q/Z) = Z* from 3.1, and we saw in 3.8 that the relation 
with the Artin isomorphism is given by the commutative diagram 3.9. To stress the 
analogy with the complex multiplication case, we rewrite 3.9 as 



Z* Z*= A^/(Q* -R >0 ) 

(6.3) can l Artin 

Aut(Q/Z) Gal(Q ab /Q), 

where "—1" denotes inversion on Z*. 

From now on, we take K to be an imaginary quadratic field. Then K has a 
single archimedean completion K — > C, and much of what we said for the analytic 
function q on R/Z has an analogue for the quotient group C/Zk- In complete 
analogy, we will define an analytic function fx '■ C/Zk — > P X (C) in 6.14 with 
the property that its finite values at the m-torsion subgroup —Zk/Zk of C/Zk 
generate the ray class field H m of K of conductor mZ^. However, to define this 
elliptic function fx on the complex elliptic curve C/Zk, we need an algebraic 
description of C/Zk, which exists over an extension of K that is usually larger 
than K itself. The Hilbert class field H = Hi of K from 2.6.2 is the smallest 
extension of K that one can use, and the torsion values of fx generate class fields 
over H. This makes the construction of H itself into an important preliminary step 
that does not occur over Q, as Q is its own Hilbert class field. 



18 



HENRI COHEN AND PETER STEVENHAGEN 



In this section, we give the classical algorithms for constructing the extensions 
K C H and H C H m . The next section provides some theoretical background and 
different views on complex multiplication. Our final section 8 shows how such views 
lead to algorithmic improvements. 

Complex multiplication starts with the fundamental observation [21, Chapter VI] 
that for every lattice A C C, the complex torus C/A admits a meromorphic func- 
tion, the Weierstrass p-function 

p A :z^z~ 2 + Eo,6A\{0}[(^ - u )~ 2 ~ w ~ 2 ]> 

that has period lattice A and is holomorphic except for double poles at the points 
of A. The corresponding Weierstrass map 

W : C/A — > E A C P 2 (C) 

z i — ► [paO) : Pa(z) : 1] 

is a complex analytic isomorphism between the torus C/A and the complex elliptic 
curve Ea C P 2 (C) defined by the affine Weierstrass equation 

y 2 = 4x 3 - g 2 (A)x - g 3 (A). 

The Weierstrass coefficients 



(6.4) 



# 2 (A)=60 E 

weA\{o} 



u~ A and (A) = 140 £ u 

ueA\{o} 



of E\ are the Eisenstein series of weight 4 and 6 for the lattice A. The natural 
addition on C/A translates into an algebraic group structure on E\(C) sometimes 
referred to as 'chord and tangent addition'. On the Weierstrass model E\, the point 
O = [0 : 1 : 0] = W(0 mod A) at infinity is the zero point, and any line in P 2 (C) 
intersects the curve E\ in 3 points, counting multiplicities, that have sum O. 

All complex analytic maps C/Ai — > C/A 2 fixing the zero point are multiplica- 
tions z i— > Xz with A G C satisfying AAi C A 2 . These are clearly group homomor- 
phisms, and in the commutative diagram 



C/Aj 



C/A 5 



(6.5) 



w 2 



Ea 2 



the corresponding maps <p\ : E Al — > E^ 2 between algebraic curves are known as 
isogenies. For A ^ 0, the isogeny is a finite algebraic map of degree [A 2 : AAi], 
and E Al and E\ 2 are isomorphic as complex algebraic curves if and only if we have 
AAi = A 2 for some A G C. The isogenies E\ — > E\ form the endomorphism ring 



(6.6) 



End(E A ) ^ {A G C : AA c A} 
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of the curve E\, which we can view as a discrete subring of C. The A- value of 
the analytically defined endomorphism 'multiplication by A e C is reflected al- 
gebraically as a true multiplication by A of the invariant differential dx/y on E\ 
coming from dz = d{p\)/p' K . If End(i?A) is strictly larger than Z, it is a complex 
quadratic order O and E\ is said to have complex multiplication (CM) by O. 

In order to generate the class fields of our imaginary quadratic field K, we employ 
an elliptic curve E\ having CM by Zk- Such a curve can be obtained by taking A 
equal to Zk, or to a fractional Z^-ideal a, but the Weierstrass coefficients 6.4 for 
A = a will not in general be algebraic. 

In order to find an algebraic model for the complex curve E\, we scale A to a 
homothetic lattice AA to obtain a C-isomorphic model 

E\a : y 2 = 4r 3 - \- 4 g 2 (A)x - \- 6 g 3 (A) 

under the Weierstrass map. The discriminant A = g\ — 27 g\ of the Weierstrass 
polynomial 4x 3 — g 2 x — gs does not vanish, and the lattice function 

A(A) = £ 2 (A) 3 - 27s 3 (A) 2 

is of weight 12: it satisfies A(AA) = A _12 A(A). Thus, the j-invariant 

(6.7) j(A) = 1728^ = 1728. ^ 



A(A) £ 2 (A)3-27s 3 (A) 2 

is of weight zero, and an invariant of the homothety class of A or, equivalently, the 
isomorphism class of the complex elliptic curve C/A. It generates the minimal field 
of definition over which C/A admits a Weierstrass model. 

If E]y has CM by Z^, then A is homothetic to some Z^-ideal a. It follows that, 
up to isomorphism, there are only finitely many complex elliptic curves E\ having 
CM by Z K , one for each ideal class in Cl^- As any automorphism of C maps the 
algebraic curve E\ to an elliptic curve with the same endomorphism ring, we find 
that the j-invariants of the ideal classes of form a set of Hk = #C1^ distinct 
algebraic numbers permuted by the abolute Galois group Gq of Q. This allows us 
to define the Hilbert class polynomial of K as 

(6.8) HhV(X)= J] (X-j(a))eQ[X}. 

[a]ec\ K 

Its importance stems from the following theorem, traditionally referred to as the 
first main theorem of complex multiplication. 

6.9. Theorem. The Hilbert class field H of K is the splitting field of the polynomial 
Hil^(A A ) over K . This polynomial is irreducible in K[X], and the Galois action of 
the Artin symbol a c = ^>h/k( c ) of the ideal class [c] G Cl^ = Gal(H/K) on the 
roots j (a) o/HhVpO is given by 

j(ay< = jiac- 1 ). 
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To compute Hil^(X) from its definition 6.8, one compiles a list of Z^-ideal classes 
in the style of Gauss, who did this in terms of binary quadratic forms. Every Zk- 
ideal class [a] has a representative of the form Zr + Z, with r G K a root of some 
irreducible polynomial aX 2 + bX + c G Z[X] of discriminant b 2 — Aac = Ak/q. If 
we take for r the root in the complex upper half plane H, the orbit of r under the 
natural action 

fa [3\ az + P_ 

\ 7 ^ / <yz + 5 

of the modular group SL 2 (Z) on H is uniquely determined by [a] G CIk- In this 
orbit, there is a unique element 

-b + \Jb 2 - Aac 
T « = 2a GH 

that lies in the standard fundamental domain for the action of SL 2 (Z) on H con- 
sisting of those z G H that satisfy the two inequalities |Re(z)| < \ and z~z > 1 and, 
in case we have equality in either of them, also Re (2) < 0. This yields a description 

[a] = [Z • -ft+V^-4ac + z] M (a) ^ c) 

of the elements of Cl^ as reduced integer triples (a, 6, c) of discriminant b 2 — Aac = 
A k /q. As we have Re(r a ) = — ^ and r a r Q = ^, the reduced integer triples (a, 6, c) 
corresponding to r a in the fundamental domain for SL 2 (Z) are those satisfying 

\b\ < a < c and b 2 — Aac = A k /q, 

where b is non-negative in case we have \b\ = a or a = c. For reduced forms, 
one sees from the inequality A k /q = b 2 — Aac < a 2 — Aa 2 = —3a 2 that we have 
\b\ < a < yj\ A^/qI/3, so the list is indeed finite, and can easily be generated [6, 
Algorithm 5.3.5]. See [8] for the classical interpretation of the triples (a, 6, c) as 
positive definite integral binary quadratic forms aX 2 + bXY + cY 2 of discriminant 
b 2 - Aac = A K/Q . 

If we put j( r ) = j(Zr + Z), the j-function 6.7 becomes a holomorphic function 
j : H — > C invariant under the action of SL 2 (Z). As it is in particular invariant 
under r 1— > r + 1, it can be expressed in various ways in terms of the variable 
q = e 2lTlT from 6.1. Among them is the well-known integral Fourier expansion 

(6.10) j{r) = j(q) = q- 1 + 744 + 196884o + . . . G q' 1 + Z[[q]] 

that explains the normalizing factor 1728 in the definition 6.7 of j. It implies [14, 
Chapter 5, §2] that the roots of HiIk(X) in 6.8 are algebraic integers, so HHk(X) is 
a polynomial in Z[X] that can be computed exactly from complex approximations 
of its roots that are sufficiently accurate to yield the right hand side of 6.8 in C[X] 
to 'one-digit precision'. For numerical computations of j(r), one uses approximate 
values of the Dedekind ry-function 

(6.11) V (r) = (1 - q n ) = q^^-^^'^ 

n>l neZ 
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which has a lacunary Fourier expansion that is better suited for numerical purposes 
than 6.10. From ^-values one computes fair) = V / 2?7(2t)/?7(t), and finally j(r) as 

(6 , 2) j(T) = (i!M±i5£ 



fl 4 w 

This finishes the description of the classical algorithm to compute the Hilbert class 
field H of K. 

Having computed the irreducible polynomial Hil^(X) of jx = i(Zx), we can write 
down a Weierstrass model E K for C/Z K over H = K(j K ) (or even over Q(jx)) 
and use it to generate the ray class field extensions H C H m . Choosing Ex is easy 
in the special cases K = Q(Cs), Q(*)> when one of gi = Qi^Lk) and gs = ^(Z^) 
vanishes and the other can be scaled to have any non-zero rational value. For 
K 7^ Q(C3)>Q(*)> the number A = yfg^fgi G C* is determined up to sign, and 
since we have 

= A g 2 = A D # 3 = 0|03 = 27- — — , 

JK — i-'^O 

the Weierstrass model y 2 = 4x s — ckx — ck for C/XZk is defined over Q(jV) C if. 
A more classical choice is A 2 = A/(<7 2 <73), with g 25 <73 and A associated to Z K: 
giving rise to the model 

(6.13) Ek y 2 = wk{x), where wk(x) = 4x 3 — - — 



(ck-27) 2 {cK-nf 

Any scaled Weierstrass parametrization Wk '■ C/Zk Ek with Ek defined over 
H can serve as the imaginary quadratic analogue of the isomorphism q : R/Z — > T 
in 6.1. For the model Ek in 6.13, the x-coordinate p\z K (^z) = X~ 2 pz K (z) of 
Wk{z) is given by the Weber function 

(a-\A\ f ( \ 92^k)9z^k) 

(6-14) f K (z) = X(Zk) PZk ^ z >- 

It has 'weight 0' in the sense that the right hand side is invariant under simultaneous 
scaling (Zx, z) — > (AZ^, \z) of the lattice Zx and the argument z by A G C*. 

In the special cases K = Q(i) and Q(Cs) that have Z^ of order 4 and 6, there are 
slightly different Weber functions fx that are not the ^-coordinates on a Weierstrass 
model for C/Zk over H, but an appropriately scaled square and cube of such a> 
coordinates, respectively. In all cases, the analogue of the Kronecker- Weber theorem 
for K is the following second main theorem of complex multiplication. 

6.15. Theorem. The ray class field H m of conductor mZx of K is generated over 
the Hilbert class field H of K by the values of the Weber function fK at the non-zero 
m-torsion points of C/Zx- 

In the non-special cases, the values of fx at the m-torsion points of C/Zk are the 
^-coordinates of the non-zero m-torsion points of the elliptic curve Ex in 6.13. For 
K = Q(i) and Q(Cs), one uses squares and cubes of these coordinates. In all cases, 
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generating H m over H essentially amounts to computing division polynomials T m G 
C[X] that have these ^-coordinates as their roots. We will define these polynomials 
as elements of H[x], as the recursion formulas at the end of this section show that 
their coefficients are elements of the ring generated over Z by the coefficients of the 
Weierstrass model of Ek- 

If m is odd, the non-zero m-torsion points come in pairs {P, —P} with the same 
^-coordinate xp = X-p, and we can define a polynomial T m (x) G H[x] of degree 
(m 2 — l)/2 up to sign by 

T m (x) 2 = m 2 ]| (x-xp). 

PEE K [m](C) 

For even m, we adapt the definition by excluding the 2-torsion points satisfying 
P = -P from the product, and define T m (X) G H[x] of degree (m 2 - 4)/2 by 

T m (x) 2 = (m/2) 2 J] (x-xp). 

The 'missing' ^-coordinates of the non-zero 2-torsion points are the zeroes of the 
cubic polynomial wk G H[x] in 6.13. This is a square in the function field of the 
elliptic curve 6.13, and in many ways the natural object to consider is the 'division 
polynomial' 

f T m (x) if m is odd; 
ip m {x, y) = \ 

l 2yT m (x) if m is even. 

This is an element of the function field C(x,y) living in the quadratic extension 
H[x,y] of the polynomial ring H[x] defined by y 2 = wk(x). It is uniquely defined 
up to the sign choice we have for T m . Most modern texts take the sign of the highest 
coefficient of T m equal to 1. Weber [28, p. 197] takes it equal to (— l) m_1 , which 
amounts to a sign change y i— > — y in ip m (x, y). 

By construction, the function ip m has divisor (1 — m 2 ) [O] +J2p^o mP=o\.^- ^ ne 
normalizing highest coefficients m and m/2 in T m lead to neat recursive formulas 

V>2m+1 = ^ m +2^m ~ V'm+lV'm-l, 

^2m = (2y)~Vm(V'm+2V'm-l ~ ^m+l^m^) 

for ifj m that are valid for m > 1 and m > 2. These can be used to compute tfj m 
and T m recursively, using 'repeated doubling' of m. One needs the initial values 
Ti = T 2 = 1 and 

T 3 = 3X 4 + 6aX 2 + YlbX - a 2 , 

T 4 = 2X 6 + 10aX 4 + 406X 3 - 10a 2 X 2 - 8abX - 16b 2 - 2a 3 , 

where we have written the Weierstrass polynomial in 6.13 as wk = 4(x 3 + ax + b) to 
indicate the relation with the nowadays more common affine model y 2 = x 3 + ax + b 
to which Ek is isomorphic under (x,y) i— > (x,y/2). 
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7. Class fields from modular functions 

The algorithms in the previous section are based on the main theorems 6.9 and 6.15 
of complex multiplication. These can be found already in Weber's 1908 textbook 
[28], so they predate the class field theory for general number fields. The oldest 
proofs of 6.9 and 6.15 are of an analytic nature, and derive arithmetic information 
from congruence properties of Fourier expansions such as 6.10. Assuming general 
class field theory, one can shorten these proofs as it suffices, just as after 2.2, to 
show that, up to sets of primes of zero density, the 'right' primes split completely in 
the purported class fields. In particular, it is always possible to restrict attention to 
the primes of K of residue degree one in such arguments. Deuring provides analytic 
proofs of both kinds in his survey monograph [9] . 

Later proofs [14, Part 2] of Deuring and Shimura combine class field theory 
with the reduction of the endomorphisms in 6.6 modulo primes, which yields en- 
domorphisms of elliptic curves over finite fields. These proofs are firmly rooted in 
the algebraic theory of elliptic curves [21]. Here one takes for E\ in 6.6 an ellip- 
tic curve E that has CM by and is given by a Weierstrass equation over the 
splitting field H' over K of the Hilbert class polynomial Hil^(A A ) in 6.8. In this 
case the Weierstrass equation can be considered modulo any prime q of H' , and 
for almost all primes, known as the primes of good reduction, this yields an elliptic 
curve E q = (E mod q) over the finite field k q = Z#/ / q. For such q, the choice of an 
extension of q to Q yields a reduction homomorphism Ek{Q,) — > E q (k q ) on points 
that is injective on torsion points of order coprime to q. The endomorphisms of E 
are given by rational functions with coefficients in H' , and for primes q of H' of 
good reduction there is a natural reduction homomorphism 

End(£) -> End(£ q ) 

that is injective and preserves degrees. The 'complex multiplication' by an element 
a E End(-E') = Zk multiplies the invariant differential dx/y on E by a, so it 
becomes inseparable in End(-E'q) if and only if q divides a. The first main theorem 
of complex multiplication 6.9, which states that H' equals the Hilbert class field H 
of K and provides the Galois action on the roots of Hil^(X), can now be derived 
as follows. 

Proof of 6.9. Let p be a prime of degree one of K that is coprime to the dis- 
criminant of Hilx(X), and a G an element of order 1 at p, say ctp -1 = b 
with (b,p) = 1. Let a be a fractional Z^-ideal. Then the complex multiplication 
a : C/a ^ C/a factors in terms of complex tori as 

C/a ^ C/op" 1 C/ab ^ C/a. 

a 

If E and E' denote Weierstrass models over H' for C/a and C/ap -1 , we obtain 
isogenies E — > E' — > E of degree p = Np and Nb with composition a. If we assume 
that E and E' have good reduction above p, we can reduce the isogeny E — > E' at 
some prime q|p to obtain an isogeny E q — >• E' q of degree p. This isogeny is inseparable 

(p) 

as a lies in q, and therefore equal to the Frobenius morphism E q — > E\ followed 
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by an isomorphism E q p E' . The resulting equality j(E q p> ) = j(E' q ) of j- 

invariants amounts to j(a) p = j(ap~ 1 ) mod q, and this implies that the Frobenius 
automorphism cr q G Gal{H' / K) acts as j(a) a * = j(ap _1 ), independently of the 
choice of the extension prime q|p. As the j-function is an invariant for the homothety 
class of a lattice, we have j(a) = j(ap~ 1 ) if and only if p is principal. It follows that 
up to finitely many exceptions, the primes p of degree one splitting completely in 
K C H' are the principal primes, so H' equals the Hilbert class field H of K, and 
the splitting primes in K C H are exactly the principal primes. Moreover, we have 
j(a) <Tc = j(ac _1 ) for the action of the Artin symbol cr c , and Hil^ is irreducible over 
K as its roots are transitively permuted by Qdl(H/K) = C\k- □ 

In a similar way, one can understand the content of the second main theorem of 
complex multiplication. If Ek is a Weierstrass model for C/Zk defined over the 
Hilbert class field H of K, then the torsion points in Ek(C) have algebraic coordi- 
nates. As the group law is given by algebraic formulas over H, the absolute Galois 
group Gh of H acts by group automorphisms on £^ r (C) = K/Z K . Moreover, the 
action of Gh commutes with the complex multiplication action of End(-Eft-) — Z^, 
which is given by isogenies defined over H. It follows that Gh acts by Z^-module 
automorphisms on £^ r (C). For the cyclic Z^-module E K [m](C) = -^Z K /Z K of 
m-torsion points, the resulting Galois representation 

G H — > Aut ZK (^Z^/Z^) = (Z K /mZ K )* 

of Gh is therefore abelian. It shows that, just as in the cyclotomic case 6.2, the 
Galois action over H on the m- division field of Ek, which is the extension of H 
generated by the m-torsion points of Ek, comes from multiplications on ^-Zx/Zr- 
by integers a G Zk coprime to m. The content of 6.15 is that, in line with 2.8, we 
obtain the m-th ray class field of K from this m-division field by taking invariants 
under the action of Z* K = Aut(E K ). In the 'generic case' where Z* K — {±1} has 
order 2, adjoining m-torsion points 'up to inversion' amounts to the equality 

(7.1) H m = H({x P : P G E K [m](C), P ^ O}) 

occurring in 6.15, since the ^-coordinate xp determines P up to multiplication by 
±1. More generally, a root of unity ( G Z* K acts as an automorphism of Ek by 
X [C]P = (~ 2x Pi so m the special cases where K equals Q(i) or Q(Cs) and Z* K has 
order 2k with k = 2, 3, one replaces xp by x P in 7.1. The classical Weber functions 
replacing 6.14 for K = Q(i) and K = Q(C 3 ) are f K (z) = (gl(Z K )/A(Z K ))p 2 ZK (z) 
and f K (z) = (g 3 (Z K )/A(Z K ))pl K (z). 

Proof of 6.15. As in the case of 6.9, we show that the primes of degree one of 
K that split completely in the extension K C H' m defined by adjoining to H the 
m-torsion points of Ek 'up to automorphisms' are, up to a zero density subset of 
primes, the primes in the ray group R m . Primes p of K splitting in H' m are principal 
as they split in H. For each Z^-generator tt of p, which is uniquely determined up to 
multiplication by Z* K , one obtains a complex multiplication by tt G Zk — End(-EV) 
that fixes Ejc[m](C) 'up to automorphisms' if and only if we have p G R m . 
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Let p = ttZk be a prime of degree 1 over p for which Ek has good reduction 
modulo p. Then the isogeny (p n : Ek — > -Ek, which corresponds to multiplication 
by 7T as in 6.5, reduces modulo a prime q|p of the m-division field of Ek to an 
endomorphism of degree p. As n is in q, this reduction is inseparable, so it equals 
the Frobenius endomorphism of Ex,q up to an automorphism. One shows [14, p. 
125] that this local automorphism of Ex,q is induced by a global automorphism of 
Ek, i-e., a complex multiplication by a unit in Z K , and concludes that (f) n induces 
a Frobenius automorphism above p on H' m . As the reduction modulo q induces an 
isomorphism [m] EK,q[m] on the m-torsion points, this Frobenius automor- 
phism is trivial if and only if we have tt = 1 mod* mZ^ for a suitable choice of 7r. 
Thus, p splits completely in H' m if and only if p is in R m , and H' m is the ray class 
field H m . □ 

The argument just given shows that we have a concrete realization of the Artin 
isomorphism (Z K /mZ K )* /im[Z* K ] ^> G&l(H m /H) from 2.8 by complex multipli- 
cations. Passing to the projective limit, this yields the analogue 



Z K /Z 



ab 



K 



Gal(iW# ) C Gf 



of 3.1. For the analogue of 6.3, we note first that for imaginary quadratic K, the 
subgroup Uqo in 3.3, which equals C*, maps isomorphically to the connected com- 
ponent of the unit element in A* K / K* . As it is the kernel of the Artin map ipK in 
3.7, we obtain a commutative diagram 



-l 



J K 



Z* K /Z* K c A* K /(K*-C*) 



(7.2) 



Aut ZK (K/Z K ) 



Artin 



Gal(iW#) C Gal(X ab /X) 



in which the inversion map "—1" arises just as in 3.9. A slight difference with the 
diagram 6.3 for Q is that the horizontal arrows now have a small finite kernel coming 
from the unit group Z* K . Moreover, we have only accounted for the automorphisms 
of .Kab over H, not over K. Automorphisms of H m that are not the identity on H 
arise as Artin maps a c of non-principal ideals c coprime to m, and the proof of 6.9 
shows that for the isogeny C in the commutative diagram 



C/Z K 



(7.3) 



w 



E 



C/c 



W 



K 



E' 



Ki 



we have to compute the restriction <j) c : E K [m] — > E' K [m] to m-torsion points. To 
do so in an efficient way, we view the j-values and ^-coordinates of torsion points 
involved as weight zero functions on complex lattices such as or c. As we may 
scale all lattices as we did for 6.10 to Zr + Z with r G H, such functions are modular 
functions H — > C as defined in [14, Chapter 6]. 
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The j-function itself is the primordial modular function: a holomorphic function 
on H that is invariant under the full modular group SL,2(Z). Every meromorphic 
function on H that is invariant under SL2(Z) and, when viewed as a function of 
q = e 27rrr , meromorphic in q = 0, is in fact a rational function of j. The Weber 
function fx in 6.14 is a function 

, / \ 92(r)g 3 (r) 

fr( Z ) = A(r) P[r,l](z) 

that depends on the lattice Zk = Zr + Z = [r, 1], and fixing some choice of a 
generator r of over Z, we can label its m-torsion values used in generating H m 

as 

(7.4) F u {r) = f T (u 1 r + u 2 ) with u = (u u u 2 ) G -Z 2 /Z 2 \ {(0, 0)}. 

rn 

For m > 1, the functions F u : H — > C in 7.4 are known as the Fricke functions of 
level m. These are holomorphic functions on H that are ^-coordinates of m-torsion 
points on a 'generic elliptic curve' over Q(j) with j-invariant j. As they are zeroes 
of division polynomials in Q(j)[X], they are algebraic over Q(j) and generate a 
finite algebraic extension of Q(j), the m-th modular function field 

(^•5) T m = Q(j, {-F«} u6 (_lz/z) 2 \{(o,o)})- 

Note that we have T\ = Q(j) in 7.5. We may now rephrase the main theorems of 
complex multiplication in the following way. 

7.6. Theorem. Let K be an imaginary quadratic field with ring of integers Z[r]. 
Then the m-th ray class field extension K C H m is generated by the finite values 
/(r) of the functions f e .F m . 

For generic i^T this is a directly clear from 6.9 and 6.15, in the special cases K = 
Q(*)> Q(Cs) the functions F u (r) in 7.4 vanish at the generator r of Z^, so an extra 
argument [14, p. 128] involving modified Weber functions in T m is needed. 

It is not really necessary to take r in 7.6 to be a generator of Z K ; it suffices that 
the elliptic curve C/[r, 1] is an elliptic curve having CM by Z K . 

For computations, it is essential to have the explicit Galois action of Gal(K a ^/ K) 
on the values /(r) from 7.6 for arbitrary functions / in the modular function field 
F = U m >iJF m . As class field theory gives us the group Gal(K ah /K) in 7.2 as an 
explicit quotient of the idele class group A* K /K* under the Artin map 3.7, this 
means that we need to find the natural action of x G A* K on the values f(r) in 7.6. 
We will do so by reinterpreting the action of the Artin symbol o~ x G Gal(X a b/if) 
on the function value of / at r as the value of some other modular function /^( x ) 
at r, i.e., 

(7.7) (/to)*" 

for some natural homomorphism g T : A* K — > Aut(J 7 ) induced by r. 
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To understand the automorphisms of T, we note first that the natural left action 
of SL 2 (Z) on H gives rise to a right action on T m that is easily made explicit for the 
Fricke functions 7.4, using the 'weight 0' property of f K . For M = (" f ) e SL 2 (Z) 
we have 

F u (Mr) = F u (^|) = ^PM](«i(«r + 0) + u 2 ( 7 t + 5)) 

= F uM (t). 

As u = (ui,U2) is in — Z 2 /Z 2 , we only need to know M modulo to, so the Fricke 
functions of level to are invariant under the congruence subgroup 

r(m) = ker[SL 2 (Z) -> SL 2 (Z/mZ)] 

of SL 2 (Z), and they are permuted by SL 2 (Z). As we have F_ Ul _ U2 = F UljU2 , we 
obtain a natural right action of SL 2 (Z/toZ)/{±1} on jF m . 

In addition to this 'geometric action', there is a cyclotomic action of (Z/toZ)* 
on the functions / G T m via their Fourier expansions, which lie in Q(Cm)((? 1/m )) 
as they involve rational expansions in 

e 2m( ai T+a 2 )/m = ^ q % for ^ ^ £ % 

On the Fricke function F u = F( UljU2 ^, the automorphism o~k : Q m i— > Cm clearly 
induces cr^ : -F( UljU2 ) i— > F( Uljkll2 y Thus, the two actions may be combined to obtain 
an action of GL 2 (Z/toZ)/{±1} on jF m , with SL 2 (Z/mZ)/{±l} acting geometrically 
and (Z/toZ)* acting as the subgroup {i(J °) : k e (Z/toZ)*}/{±1}. The invariant 
functions are SL 2 (Z) -invariant with rational (/-expansion, so they lie in Q(j) and 
we have a natural isomorphism 

(7.8) GL 2 (Z/mZ)/{±l} Gal(^ m /Q(j)) 

or, if we take the union T = U m jF m on the left hand side and the corresponding 
projective limit on the right hand side, 

(7.9) GL 2 (Z)/{±1} Gal(^/Q(j)). 

Note that T m contains Q(Cm)O') as the invariant field of SL 2 (Z/mZ)/{±l}, and 
that the action on the subextension Q(j) C Q a b(j) with group Gal(Q a b/Q) = Z* 
is via the determinant map det : GL 2 (Z)/{±1} — > Z*. 

In order to discover the explicit form of the homomorphism g T in 7.7, let p = nZx 
be a principal prime of K. Then the Artin symbol cr p is the identity on H, and the 
proof of 6.15 shows that its action on the ^-coordinates of the m-torsion points of 
Ek for to not divisible by n can be written as 

F u (r) a » =F u (tvt) =F uM M, 
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where M ff is the matrix in GL 2 (Z/mZ) that represents the multiplication by n on 
■^Zk/Zk with respect to the basis {r, 1}. In explicit coordinates, this means that 
if t £ H is a zero of the polynomial X 2 + BX + C of discriminant B 2 — AC = 
and 7r = x\T + %2 is the representation of it on the Z-basis [r, 1] of Z^, then we 
have 

(7.10) M n = ^ ~ BX ^ X2 ~° x Xl ) e GL 2 (Z/mZ). 

As the Fricke functions of level m generate jF m , we obtain in view of 7.8 the identity 
f{j y P = f M^ r) for f e Tm and m? 

which is indeed of the form 7.7. We can rewrite this in the style of the diagram 
7.2 by observing that the Artin symbol of n £ K* C A^- acts as a p on torsion 
points of order m coprime to p, and trivially on 7r-power torsion points. Moreover, 
(tt mod K*) £ Ak/K* is in the class of the idele x £ Z* K having component 1 at p 
and 7T _1 elsewhere. Thus, if we define 

9r : Z* K — > GL 2 (Z) 

(7.11) 

x\ — > M, 



X 



by sending x = x\t + xi £ Zk to the inverse of the matrix M x describing multi- 
plication by x on Z K with respect to the basis [r, 1] , then M x is given explicitly as 
in 7.10, and formula 7.7 holds for f £ T and x £ Z* K if we use the natural action 
of GL 2 (Z) on T from 7.9. 

To obtain complex multiplication by arbitrary ideles, we note that on the one 
hand, the idele class quotient A* K /(K* • C*) from 7.2, which is isomorphic to 
Gal(K a b/-ftT) under the Artin map, is the quotient of the unit group K* of the 
finite adele ring 

K = Z K ® z Q = TT K p C A K = K x C 

J-J-p finite 

by the subgroup K* C K* of principal ideles. On the other hand, not all automor- 
phisms of T come from GL 2 (Z) as in 7.9: there is also an action of the projective 
linear group PGL 2 (Q) + = GL 2 (Q) + /Q* of rational matrices of positive determi- 
nant, which naturally act on H by linear fractional transformations. It does not 
fix j, as it maps the elliptic curve C/[r, 1] defined by r £ H not to an isomorphic, 
but to an isogenous curve. More precisely, if we pick M = ^) £ GL 2 (Q)+ in its 
residue class modulo Q* such that M -1 has integral coefficients, then the lattice 

(TT + 6)-i[T, 1] = ^] = M-i[Hi±? , 1] 

is a sublattice of finite index detM -1 in [^^§ , 1], and putting fi = (7T + 5) _1 , we 
have a commutative diagram 

C/[r,l] C/[Mr,l]=C/[^±f,l] 
w 1 w' 

£/ r > JiMr 
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as in 7.3. Moreover, the torsion point U\T + u 2 having coordinates u = (u\, -u 2 ) with 
respect to [r, 1] is mapped to the torsion point with coordinates uM~ x with respect 
to the basis [Mr, 1]. 

We let Q = Z(g>z Q = Y[' p Qp be the ring of finite Q-ideles. Then every element in 
the ring GL 2 (Q) can be written as UM with U G GL 2 (Z) and M G GL 2 (Q) + . This 
representation is not unique as GL 2 (Z) and GL 2 (Q) + have non-trivial intersection 
SL 2 (Z), but we obtain a well-defined action GL 2 (Q) — > Aut(jF) by putting 

f UM (T) = f u (Mr). 

We now extend, for the zero r G H of a polynomial X 2 + BX + C G Q[-X"], the 
map g T in 7.11 to 

S T :iT = (Qr + Q)*^GL 2 (Q) 
( 7 - 12 ) , M -i f-B Xl +x 2 -Cx^ 

X = X\T + X2 I > M_ = 

X \ X! X 2 

to obtain the complete Galois action of Gal(K a \j/ K) = K* /K* on modular function 
values /(t). The result obtained is known as Shimura's reciprocity law. 

7.13. Theorem. Let t G H be imaginary quadratic, f G T a modular function 
that is finite at r and x G K* / K* a finite idele for K = Q(r). Then /(r) is abelian 
over K , and the idele x acts on it via its Artin symbol by 

f(r) x = f 9Ax \r), 

where g T is defined as in 7.12. 

8. Class invariants 

Much work has gone into algorithmic improvements of the classical algorithms in 
section 6, with the aim of reducing the size of the class polynomials obtained. 
Clearly the degree of the polynomials involved cannot be lowered, as these are the 
degrees of the field extensions one wants to compute. There are however methods 
to reduce the size of their coefficients. These already go back to Weber [28], who 
made extensive use of 'smaller' functions than j to compute class fields in his 1908 
algebra textbook. The function f 2 that we used to compute j in 6.12, and that carries 
Weber's name (as does the elliptic function in 6.14) provides a good example. A 
small field such as K = Q(V _ 71), for which the class group of order 7 is easily 
computed by hand, already has the sizable Hilbert class polynomial 

m\ K (X) = X 7 + 313645809715 X 6 - 3091990138604570 X 5 

+ 98394038810047812049302 X 4 - 823534263439730779968091389 X 3 
+ 5138800366453976780323726329446 X 2 
- 425319473946139603274605151187659 X 
+ 737707086760731113357714241006081263. 
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However, the Weber function f 2 , when evaluated at an appropriate generator of Zk 
over Z, also yields a generator for H over K, and its irreducible polynomial is 



As Weber showed, the function f 2 can be used to generate H over K when 2 splits 
and 3 does not ramify in Q C K. The general situation illustrated by this example 
is that, despite the content of 7.6, it is sometimes possible to use a function / of 
high level, like the Weber function f 2 G JF 48 of level 48, to generate the Hilbert 
class field H of conductor 1. The attractive feature of such high level functions 
/ is that they can be much smaller than the j-function itself. In the case of f 2 , 
the extension Q(j) C Q(f 2 ) is of degree 72 by 6.12, and this means that the size 
of the coefficients of class polynomials using f 2 is about a factor 72 smaller than 
the coefficients of Hil^-(X) itself. Even though this is only a constant factor, and 
complex multiplication is an intrinsically 'exponential' method, the computational 
improvement is considerable. For this reason, Weber's use of 'small' functions has 
gained renewed interest in present-day computational practice. 

Shimura's reciprocity law 7.13 is a convenient tool to understand the occurrence 
of class invariants, i.e., modular functions / G T of higher level that generate the 
Hilbert class field of K when evaluated at an appropriate generator r of Zk- Clas- 
sical examples of such functions used by Weber are 7 2 = ^fj and 73 = y/j — 1728, 
which have level 3 and 2. As is clear from 6.12, the j-function can also be con- 
structed out of even smaller building blocks involving the Dedekind ^-function 
6.11. Functions that are currently employed in actual computations are 



which are of level 24p and 24pq. These functions, or sometimes small powers of 
them, can be used to generate H, and the resulting minimal polynomials have 
much smaller coefficients than }HIk(X). We refer to [7, Section 6.3] for the precise 
theorems, and indicate here how to use 7.13 to obtain such results for arbitrary 
modular functions / G T . 

Let / G T be any modular function of level m, and assume Q(/) C T is Galois. 
Suppose we have an explicit Fourier expansion in Q(Cm)((o ,1 ^ m )) that we can use to 
approximate its values numerically. Suppose also that we know the explicit action 
of the generators S : z 1— > 1/z and T : z z + 1 on f . Then we can determine 
the Galois orbit of /(r) for an element r G H that generates Z K in the following 
way. First, we determine elements x = X\T + x 2 G Zk with the property that they 
generate (Z K /mZ K )* /Z* K . Then the Galois orbit of /(r) over H is determined 
using 7.13, and amounts to computing the (repeated) action of the matrices g T (x) G 
GL 2 (Z/mZ) (given by the right hand side of 7.10) on /. This involves writing 
g T (x) as a product of powers of S and T and a matrix °) acting on / via its 
Fourier coefficients. Although / may have a large GL 2 (Z/mZ)-orbit over Q(j), 
the matrices g T (x) only generate a small subgroup of GL 2 (Z/mZ) isomorphic to 
{Zk /tuZkY /Z* K , and one often finds that the orbit of / under this subgroup is 
quite small. In many cases, one can slightly modify /, multiplying it by suitable 



X 7 + X 6 -X 5 - 



X 4 - X 3 + X 2 + 2X + 1. 



(8.1) 



V(pz) 
rj(z) 



and 



rj(pz)r}(qz) 
rj(pqz)r](z) ' 
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roots of unity or raising it to small powers, to obtain an orbit of length one. This 
means that / G T is invariant under g T [Z* K ] C GL 2 (Z). As we have the fundamental 
equivalence 

(8.2) /( T f = /(r) ^ /*(•) = /, 

this is equivalent to finding that /(r) is a class invariant for K = Q(r). The 
verification that gv[Zy stabilizes / takes place modulo the level m of /, so it 
follows from 7.12 that if /(r) is a class invariant for K = Q(r), then /(r') is a 
class invariant for K' = Q(r') whenever r' G H is a generator of Z^' that has an 
irreducible polynomial congruent modulo m to that of r. In particular, a function 
of level m that yields class invariants does so for families of quadratic fields for 
which the discriminant is in certain congruence classes modulo 4m. 

If /(t) is found to be a class invariant, we need to determine its conjugates 
over K to determine its irreducible polynomial over K we did in 6.8 for j(r). This 
amounts to computing /(r) crc as in 6.9, with c ranging over the ideal classes of 
C\k- If we list the ideal classes of Cl^- as in Section 6 as integer triples (a, 6, c) 
representing the reduced quadratic forms of discriminant Ak, the Galois action of 
their Artin symbols in 6.9 may be given by 

j(r) (a,-M =j( ^gE^). 

For a class invariant /(r) a similar formula is provided by Shimura's reciprocity 
law. Let a = Z • ~ b+v ?f~ 4 — + Z • a be a Z^-ideal in the ideal class corresponding 
to the form (a, 6, c). Then the Z^-ideal clZk is principal as Z^-ideals are locally 
principal, and we let x G be a generator. The element x is a finite idele in 
K*, and the Artin symbol of x _1 acts on /(r) as the Artin symbol of the form 
(a,-b,c). We have U = g^ ^M' 1 G GL 2 (Z) for the matrix M G GL 2 (Q) + 
defined by [r, 1}M = [ b + v ^~ 4ac , 2a], since U stabilizes the Z^-lattice spanned by 
the basis [r, 1]. Applying 7.13 for the idele x~ x yields the desired formula 



j^ r ^{a-b,c) _ jU -b+Vb 2 -4ac ^ 

This somewhat abstract description may be phrased as a simple explicit recipe for 
the coefficients of U G GL 2 (Z), which we only need to know modulo m, see [24]. 

There are limits to the improvements coming from intelligent choices of modular 
functions to generate class fields. For any non-constant function / G J 7 , there is a 
polynomial relation ^(j, f) = between j and /, with $ e C[I, Y] some irreducible 
polynomial with algebraic coefficients. The reduction factor one obtains by using 
class invariants coming from /, if these exist, instead of the classical j-values is 
defined as 

= de g/ (fr(/,j)) 
r[J) degjWJ))- 

By [11, Proposition B.3.5], this is, asymptotically, the inverse of the factor 

lim MZM). 

/i(j(t))-oo h(j(r)) 
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Here h is the absolute logarithmic height, and we take the limit over all CM- 
points SL 2 (Z) ■ r G H. It follows from gonality estimates for modular curves [3, 
Theorem 4.1] that r(f) is bounded from above by 24/Ai, where Ai is a lower 
bound for the smallest positive eigenvalue of the Laplacian (as defined in [16]) 
on modular curves. The best proved lower bound Ai > [12, p. 176] yields 

r(f) < 32768/325 « 100.8, and Selberg's conjectural bound Ai > 1/4 implies 
r(f) < 96. Thus Weber's function f 2 , which has r(f) = 72 and yields class invariants 
for a positive density subset of all discriminants, is close to being optimal. 
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